End of .html parsing ?

[Michael Wojcik]

Wrong. Lots of people use NoScript, and only turn Javascript on for
domains they know, and trust.

This is an article of faith with Jorge; he is not interested in
evidence to the contrary, which has been supplied many times.

Of course, the history of computing is full of visionaries who told us
that their fetish would soon be proved indispensable. None have been
right yet, but Jorge could be the first. For example, a virulent
pandemic might happen to wipe out nearly all of humanity, leaving only
a small population of dedicated Javascript users. (I see a Web 2.0
AJAX-based site for trading scavenging tips, etc.)

 

[Jorge]

This is an article of faith with Jorge; he is not interested in
evidence to the contrary, which has been supplied many times.

Does that someone (a developer) sometimes turns it off prove
anything ?
How many web surfers know how to turn it off or even what it is ?
That IEs are so vulnerable is your argument (Why does M$ don't want us
to use it ?) ?
Are Safaris or Chromes or FiereFoxes or Operas as vulnerable as IEs ?
You want some more of the form-comes form-goes tired-old web model ?
Because the web must move forward, right ?
What's in your opinion that will make it happen ?
Is it client-side Java applets, maybe ?
Is it Flash, maybe ?
Is it SilverLight ?
What is it ?

IMO, JavaScript, that's what it is. And some of HTML5 (or, IOW, a
better, richer more powerful browser's API). It's happening already,
now.

Of course, the history of computing is full of visionaries who told us
that their fetish would soon be proved indispensable. None have been
right yet, but Jorge could be the first.

Javascript's like the (Phoenix) "fire bird".

 

[Michael Wojcik]

Does that someone (a developer) sometimes turns it off prove
anything ?

It proves that "in the very near future" at least one person will be
happy to disable the ECMAScript engine in their browser, except for
trusted sites. It proves that your "secret" is an exaggeration with
nothing to substantiate it. An article of faith, in other words.

How many web surfers know how to turn it off or even what it is ?

Apparently somewhere around 55 million browsers have NoScript
installed. Chances are those represent more than a handful of users.
And that's just one way of disabling scripting.

Not that you've shown *why* the number of users with scripting
disabled matters to your claim.

That IEs are so vulnerable is your argument (Why does M$ don't want us
to use it ?) ?

Where did I mention IE?

Are Safaris or Chromes or FiereFoxes or Operas as vulnerable as IEs ?

For this purpose, who cares?

You want some more of the form-comes form-goes tired-old web model ?
Yes.

Because the web must move forward, right ?

No. There's nothing that requires "the web" (a facile abstraction in
any case) to "move forward" (also a facile abstraction).

Will developers continue to create web pages using novel technologies
and techniques? It seems likely they will, until something changes
radically, because that's the sort of thing people do. But that
probable fact does not impose any burden on me, or anyone else, as a
developer or as a user. It does not require me to add scripting to any
of my web pages; it does not require me to use the scripts on pages I
visit.

It certainly doesn't require I subscribe to your religion about the
glorious inevitability of ubiquitous scripting.

What's in your opinion that will make it happen ?

I don't know, and I don't particularly care. In IT, prediction is a
fool's game. I'll critique it as it appears on the scene.

Javascript's like the (Phoenix) "fire bird".

That metaphor is irrelevant to my claim. I didn't say ECMAScript would
disappear; I said that predicting everyone would be forced to use it
was like other similar, incorrect predictions of the past.

Once programming languages reach a decent (in some handwaving sense)
degree of penetration in mainstream IT, they never seem to go away.
COBOL, FORTRAN (now Fortran), and LISP are all still used for
real-world development. So is BASIC, if you accept VB as a BASIC
variant. Processor families come and go, but there are still people
writing in assembly for various current families.

ECMAScript is a fine language, and client-side scripting is fine. But
when you create a page that requires scripting, you're imposing a
constraint on your users that will not magically disappear in a year
because all browsers everywhere will then be executing all scripts in
every page they load.

I've written pages that required scripting; but they were ECMAScript
applications, and they were for a limited audience - often a handful
of scholars I know personally. That audience has no reason to use
those pages except to run those applications, and they would only run
those applications out of an interest in what the applications do.
Requiring scripting in those cases is not an encumbrance on a page
that a user might want or need to use for some other purpose.

Just today I tried to sign on to a commercial site to check the status
of an order. Their sign-on page requires scripting. Why? Because the
form is rejected if their client-side validation script hasn't run
(regardless of the fact that, as we all know, client-side validation
can be helpful for users but is useless for the server, since it's
entirely under the user's control). That's a page written by an idiot
who believes that all users will have scripting enabled.

 

[Jorge]

(...) That's a page written by an idiot
who believes that all users will have scripting enabled.

Well, the champion of idiocy is that user that turns off scripting and
expects the site to behave as if it was turned on...

 

[Bart Lateur]

Well, the champion of idiocy is that user that turns off scripting and
expects the site to behave as if it was turned on...

Everybody with a bit of a head on his shoulders knows that XSS is a
danger. The easiest way to thwart all XSS attacks is simply disallowing
scripting for unknown (and untrusted) domains. So that's why the default
for NoScript is to block scripting.

If you're an unknown small vendor, it is unreasonable to expect that
people have Javascript enabled.

Amazon and Ebay may expect Javascript to be enabled for their domains,
yes, especially for recurring customers. But tiny vendors? Nope, not for
first time visitors.

Javascript can be used to *improve* the user experience for recurring
customers. Having your site fall flat on its belly for first time
visitors is one way to make sure people leave as soon as possible.

 

[Bart Lateur]

Needless to say, I can hardly imagine that anybody has
JavaScript disabled. Several very popular web sites use it

Are you being obtuse on purpose?

Several people already pointed you to NoScript, which is a very popular
Firefox extension. It disables Javascript for every website by default,
and you have to effectively whitelist a site for it to be allowed to use
Javascript.

http://noscript.net/


Thus, plenty of people allow Javascript on sites they know and use
regularly, but not for a first time visit. Especially if they just found
your site through following a link or through a search engine.

 

[Osmo Saarikumpu]

Hans-Georg Michna kirjoitti:

Of course their statistics will tend towards optimism. But I
must say that I have yet to meet any user who doesn't have Flash
installed. YouTube comes to mind, which is rather popular.

Sure, I've got Flash installed, but it is only (or at least 99%) for
testing purposes. By default I surf with the Flashblock¹ extension
enabled, of course. Flashblock has a white list for the rare cases that
I can't find an alternative site which does not rely on Flash for the
information or functionality that I seek.

So that's neither JavaScript nor Flash by default. And in case you are
wondering, no adds² either ;-)

¹ http://flashblock.mozdev.org/
² http://adblockplus.org/en/

 

[Jorge]

Are you being obtuse on purpose?

Several people already pointed you to NoScript, which is a very popular
Firefox extension. It disables Javascript for every website by default,
and you have to effectively whitelist a site for it to be allowed to use
Javascript.

       http://noscript.net/

Thus, plenty of people allow Javascript on sites they know and use
regularly, but not for a first time visit. Especially if they just found
your site through following a link or through a search engine.

Poor guys, afraid of surfing, pitiful. Broken JS sandboxes, I guess,
right ?. And with each additional plugin the risk of an additional
hole in the sandbox... What OS did you say you use for surfing ? You
might want to switch.

 

[Bart Lateur]

What OS did you say you use for surfing ? You
might want to switch.

What does the OS you run on have to do with XSS?

 

[Jorge]

(...) Try being a little open minded and you might actually like it.

Yeah,
Want to be really (not just a little bit) open minded ?
Block everything !
Sheesh.

The Web === (HTML && CSS && JavaScript). Whether M$ likes it or not.

The web !== (Flash || client-side-Java || SilverLight || any other
magic web-fixing plugins ). Whether their respective owners like it or
not.

Do you know why the web's been stalled for almost a decade ?
Have you ever wondered why does the IE's sandbox look like a Gruyère
cheese ?
Don't you find it suspicious that the biggest software company in the
world's been unable to fix ~none of its browsers' tons of bugs and
vulnerabilities for so long, and is still unwilling ?

Do yourself and the humanity a favor: trash all your copies of IE
a.s.a.p. and ask everyone you know to do the same. The web would then
suddenly become a much better place. Just what M$ and its carcinogenic
browser doesn't want/allow it to be. And try not to fall into the
traps of third-party proprietary web-fixing "solutions". Once we get
rid of this cancer, we'll need not any magic pills. Normal, healthy
growth and evolution will just resume naturally. As would have
happened were it not for M$.

Want to help slow it down for a while more ? Then turn JavaScript off,
and ask others to "open their minds" and to turn it off too.

And this was supposedly a JavaScript group... ? :-(

 

[optimistx]

Garrett Smith wrote:
....

I happen to be a NoScript user. NoScript blocks Flash, too. Now you
know one. I am not the only NoScript user. Download NoScript to see
what it's all about. Try being a little open minded and you might
actually like it.
http://noscript.net/

How do you proceed in order to learn whether to turn javascript on or
have it off?
You try with javascript on a while? And if you find nothing special, you
turn it on permanently for that site?
Or some other means?

I am asking because in my coming bicycle simulator the program does not
even try to show something, if javascript is off. How to calculate anything
if
calculations are impossible?

 

[Bart Lateur]

How do you proceed in order to learn whether to turn javascript on or
have it off?
You try with javascript on a while?

No, it's the other way around. You start with Javascript off, as is the
default with NoScript, and if it doesn't work well, or well enough, and
there's enough reason the site is legit, turn it on. First temporarily
(just for as long as the browser runs), and if it's worth revisiting,
permanently.

And if you find nothing special, you
turn it on permanently for that site?
Or some other means?

I am asking because in my coming bicycle simulator the program does not
even try to show something, if javascript is off. How to calculate anything
if calculations are impossible?

Well, I think it's best to make use of the NOSCRIPT tag and show a
helful, if very simple, page, that explains what the page is for and
thus why it needs Javascript. Basically, a text much like the above
paragraph will do.

 

[optimistx]

Well, I think it's best to make use of the NOSCRIPT tag and show a
helful, if very simple, page, that explains what the page is for and
thus why it needs Javascript. Basically, a text much like the above
paragraph will do.

That makes sense. I'll improve the explanations in the noscript -tag and
possibly show some screenscaptures etc. In fact after thinking a little
more, I could show there results of other runs etc. Thank you for the
info.

 

[SAM]

Le 10/6/09 12:07 AM, Hans-Georg Michna a écrit :

The percentage of people with active script or Flash blockers
seems to be very low to me. I don't know a single one.

Now you know one : me. (JS enabled + Flash blocker)

And finally, even if a certain fraction of web users has such
blockers active, these may not be the target audience of rich,
dynamic web sites. In fact, they obviously aren't. -)

Which (interesting) "dynamic" site needs that Flash *must* be enabled ?
(JavaScript on most of merchant sites is required :-( )
Even on Youtube you can navigate with a Flash blocker, but hardly
without JS.

I'm still not convinced that I need to worry, but I try to make
sure that my dynamic web sites show at least some minimal
information to no-scripters. That's what I gained from this
discussion.

This is the minimum of what it is called "accessibility".

 

[Richard Cornford]

On Oct 6, 1:59 pm, Stefan Weiss wrote:

I've worked for companies who use a JS-driven web application
in their LAN, but forbid script execution for all other sites.
I've worked with companies who still mandate IE6, and won't
allow plugins.

Or corporations with only IE6 and with javascript enabled but (all)
ActiveX disabled for all Internet access, so no AJAX, Flash, etc. Of
course nobody really wants these employees of large organisations in
their "target audiences", despite the fact that it implies they have a
job, and so probably some disposable income.

I've worked on websites for public institutions where
accessibility is not only an option, but a legal
requirement.

As we are on an international newsgroup (rather than a regional one)
it is worth pointing out that legislation varies around the world. In
the UK we have the Disability Discrimination Act (1995), which may not
be specifically about web sites but does require that "access to and
use of information services ... facilities for entertainment ... the
services of any profession or trade ..."[1] not be subject to any
disability discrimination. There are not many web sites that would not
fall under reasonable interpretations of those phrases.

[1] <URL: http://www.opsi.gov.uk/acts/acts1995/ukpga_19950050_en_4 >

The point being that even if the legislation of one county says (or
implies) that accessibility is only of concern to, say, state/
government bodies, that is not necessarily the case in any other
country.

To sum it up, feel free to create your pages any way you want,
but don't be surprised if some visitors cannot access your
Ajax or Flash designs. And please, when you create pages for
somebody else, tell them about your convictions about the
ubiquity of JS/Flash/whatever and that not everybody shares
your opinion.

And particularly, if you are exposing someone to the risk of be being
sued, it would be a good idea to know that you are doing so, and tell
the client that that had been done, even if you judge the odds of his/
her actually being sued are negligible.

Richard.

 

[Jeremy J Starcher]

That makes sense. I'll improve the explanations in the noscript -tag and
possibly show some screenscaptures etc. In fact after thinking a little
more, I could show there results of other runs etc. Thank you for the
info.

Actually, it is better to show a 'You need Javascript to view this page'
and then, if Javascript exists, remove that message from the screen.[1]

Noscript is known to have problems because some anti-scripting methods
will remove Javascript from the page but yet, leave the noscript tags in
place, thus giving the worst of all worlds.

[1] This is this the method used by Youtube, for one example.

 

[Thomas 'PointedEars' Lahn]

That makes sense. I'll improve the explanations in the noscript -tag and
possibly show some screenscaptures etc. In fact after thinking a little
more, I could show there results of other runs etc. Thank you for the
info.

Actually, it is better to show a 'You need Javascript to view this page'
and then, if Javascript exists, remove that message from the screen.[1]
[...]
[1] This is this the method used by Youtube, for one example.

It is based on a jump to conclusion, though. Availability of "Javascript"
does not imply availability of a suitable DOM.

Noscript is known to have problems because some anti-scripting methods
will remove Javascript from the page but yet, leave the noscript tags in
place, thus giving the worst of all worlds

Would it not be better in the long run if we got these buggy "anti-scripting
methods" to recognize and remove the NOSCRIPT element, too?


PointedEars

 

[Jeremy J Starcher]

Bart Lateur wrote:
Well, I think it's best to make use of the NOSCRIPT tag and show a
helful, if very simple, page, that explains what the page is for and
thus why it needs Javascript. Basically, a text much like the above
paragraph will do.

That makes sense. I'll improve the explanations in the noscript -tag
and possibly show some screenscaptures etc. In fact after thinking a
little more, I could show there results of other runs etc. Thank you
for the info.

Actually, it is better to show a 'You need Javascript to view this
page' and then, if Javascript exists, remove that message from the
screen.[1] [...]
[1] This is this the method used by Youtube, for one example.

It is based on a jump to conclusion, though. Availability of
"Javascript" does not imply availability of a suitable DOM.

True, and as far as I can see, it would be the most desirable behavior.
If, and only iff, a suitable Javascript[1] environment has been found,
then one can remove the 'You either need Javascript or you need a better
Javascript.'

[1] A suitable environment, of course, has been feature tested to make
sure that the desired action can take place.

Would it not be better in the long run if we got these buggy
"anti-scripting methods" to recognize and remove the NOSCRIPT element, ^^^^^^^
too?

I'm not quite sure of the best nomenclature to use. Changing the
noscript tags into div tags (before it gets to the browser and therefore
before the HTML stream becomes nodes and elements) would be best. In my
most recent check, most of them simply filtered out "<noscript>" and
"</noscript>"

 

[Thomas 'PointedEars' Lahn]

I'm not quite sure of the best nomenclature to use.

The best nomenclature is undoubtedly that which is the correct one. There
can be no doubt that "NOSCRIPT element" (in HTML) or "noscript element" or
"`noscript' element" (in XHTML) is correct (disregarding punctuation
purists), and that "noscript tag" is not. For the tags that delimit the
`noscript' element are its start and end tag, <noscript ...> and
</noscript>, respectively.

See also (oft-posted)

Changing the noscript tags into div tags (before it gets to the browser ^^^^ ^^^^
and therefore before the HTML stream becomes nodes and elements) would be
best.
s/tags/elements/g

ACK

In my most recent check, most of them simply filtered out
"<noscript>" and "</noscript>"

Which could create invalid markup with the Strict variants.


PointedEars

 

[Garrett Smith]

Me, never.

Also remember, I was talking about people with "active script or
Flash blockers". The fact that you frequent this newsgroup
indicates to me that you switch NoScript off when you want to
see a scripted page. Consequently you don't count in my tally.

No, I don't "switch NoScript off"; that isn't how it works.

Optimism and idealism for javascript is good and well.

The problem is that javascript is often written in ways that worsen the
user experience, either through program design or UI design.

As was already mentioned, not every user owns or controls the
preferences of the computer s/he is using.

Sometimes javascript fails. When it does, then it is good to have a
fallback so that the page does not end up totally broken to the user.

According to downloads of NoScript, users do actively want to block
javascript.

All of this has been discussed and is available in the archives.